Fixing fundamental flaws in primary cyber insurance policies
There is a lack of insurance coverage certainty when it comes to transferring cyber risk. It has been a fundamental issue playing on the minds of cyber insurance brokers and risk managers for some time – there is a wide gap between the coverage sets available in the marketplace today, and the coverage certainty that risk managers and insurance buyers are looking for.
This gap is a result of some fundamental flaws in primary cyber policies, according to Nick Economidis, vice president, eRisk at Crum & Forster, who said there are too many missing or sublimited coverages in primary cyber policies. For example, a typical primary cyber policy will often contain a sublimit for dependent business interruption and no coverage for damage to computer equipment (also known as ‘bricking’) from a triggering cyber event.
There’s also the issue of silent cyber or non-affirmative cyber risk, which refers to cyber-related losses stemming from traditional property and casualty policies that were not specifically designed to cover cyber risk. Many insureds and risk managers still make the error of thinking their primary cyber policy will cover silent cyber risk across their portfolio, when, in fact, this is well beyond the scope of most primary policies.
To tackle some of these issues, insureds may want to look to emerging excess insurance products, explained Economidis. He highlighted a new cyber umbrella program brought to market in May 2020 by AmWINS Group in partnership with Crum & Forster, called CyberUP. The CyberUP policy offers a lead umbrella position over primary cyber coverage. It has a difference in conditions (DIC) component that grants broad coverage for cyber risks that are missing or sublimited on primary policies, as well as excess coverage for silent cyber exposures that result from a cyber event and are not covered by traditional P&C insurance.
“I’ve seen enough primary cyber programs at this point to know that there are issues that need fixing,” Economidis told Insurance Business. “I’ve seen no shortage of policies that miss coverage that most cyber specialists would consider to be pretty basic necessities, such as coverage for systems failure, cryptojacking and bricking. I still see a lot of primary cyber policies that either do not cover those exposures, or they have very low sublimits.
“Bricking is an interesting one to highlight. Most customers have a significant investment in computer equipment, but they’re looking at a sublimit for bricking coverage that could be $100,000 or $250,000. When you consider the delta between that sublimit and the asset value on the balance sheet for that computer equipment, there’s going to be a big gap – and that’s something that I think a lot of risk managers are concerned about.”
The CyberUP policy is described by David Lewison, senior vice president and Professional Lines Practice leader of AmWINS, as “a true umbrella form that provides coverage without overlapping other policies,” as long as a loss is “triggered only by a cyber-related event.” The main exclusions are things like criminal, fraudulent or malicious acts, or mass events involving infrastructure, war, pollution or nuclear radiation, which would impact lots of policyholders at one time.
“I would encourage risk managers and cyber insurance buyers to consider the benefits of excess cyber coverage. While there’s likely to be a price difference, they should consider whether they think the additional coverage afforded by products like CyberUP is worth the difference in premium,” Economidis added. “If you’re already buying cyber coverage, why wouldn’t you want the ability to cover things that are missing from or are sublimited by your insurance program? It just seems like obvious due diligence to me.”
Moving forward, Economidis expects a lot more growth in the excess cyber insurance market, especially as brokers, risk managers and policyholders start to understand the coverage certainty that the emerging products can provide. He commented: “I’d say about 51% of the market buys excess cyber coverage today because: 1) they’re looking for additional limits; and 2) brokers do it as a tactic to stack coverage for items that are sublimited. When you think about social engineering or dependent business interruption exposures – if those items are sublimited to $500,000 in the primary policy, they’re able to get an additional $500,000 of coverage by stacking an excess layer on top. I expect we’ll continue to see a lot of growth in this market moving forward.”